VMware's ESXi freeware raises scurity concerns

VMWare’s move to make its ESXi virtual server available free as it prepares for the threat of competition from Microsoft's Hyper-V hypervisor will be welcome by many IT departments, but carries risk


ESXi is a cut-down form of the VMware ESX server designed to be embedded on servers and sold as a pre-installed and virtual-machine-ready. Dell, HP, and IBM all currently sell hardware with ESXi embedded.

That makes the installation more convenient. But unfortunately it doesn't do much about the security of the appliance.

ESXi is part of the larger virtual infrastructure and should be secured just like any other component. Security guidelines from the federal Defense Information Security Agency and VMware's own Hardening Guidelines start the discussion on this, but it is not sufficient. Securing ESXi includes securing all things that touch it.

This implies securing storage, management tools, networks, operations, virtual machines and everything else connected to the virtual infrastructure. Everything that is part of the virtual infrastructure touches on the virtualisation server.

ESXi and VMware ESX both boot the same way, or nearly so. The difference is that instead of booting a management appliance virtual machine that contains GNU/Linux, ESXi boots a management appliance virtual machine that contains a Posix environment called Busybox.

ESXi cannot be treated as an appliance. Any exploit found should be addressed by VMware and by any vendor implementing ESXi. Just as there are exploits for every other operating system, there are ones for ESXi and for Busybox.

Like VMware ESX, security patches for VMware ESXi should also come direct from VMware. All you can do is remediate some aspects by implementing better total Virtual Infrastructure Security.

ESXi contains the same VMware daemons that VMware ESX contains including webAccess-which is subject to a fairly well known SSL MiTM attack; vulnerability to that attack exists within ESXi as well as in ESX. Use of webAccess should therefore be restricted to an administrative network.

There are more and more third-party tools becoming available to manage both ESX and ESXi. These also need to be coded properly to use the VMware SDK, which is over VMware webAccess.

In this way VMware ESXi is no different than VMware ESX. Security of ESXi depends on the security of the virtual infrastructure, not the other way around. Use of ESXi might be more convenient in some cases, but be sure not to assume having vendors pre-install it on their hardware means the appliance is secure.

"Recommended For You"

Application acceleration goes virtual VMware sued for alleged GPL license infractions